Security and data protection compliance is a shared responsibility between CloudBlue an Ingram Micro business and each customer. The shared responsibility model is a useful approach to illustrate the different responsibilities of CloudBlue (as a data processor or sub-processor) and customers (as either data controllers or data processors) under the applicable data protection laws. Under the shared responsibility model, CloudBlue is responsible for the security of the cloud, while the customer is responsible for security in the cloud. Shared model configuration depends on the CloudBlue services that customers elect to use and how those services are integrated into customers’ IT environments. Depending on this configuration, the responsibility of the provider (processor or sub-processor) or the customer (controller), may vary.
The services provided by CloudBlue will typically fall under one or more of these categories, as explained further under section “What is a data processor”:
- Software as a Service (“SaaS”)
- Platform as a Service (“PaaS”)
The following diagram reflects the distribution of responsibilities in the case of a SaaS Configuration:
In case of using a PaaS or IaaS, the data controller could have additional responsibilities, which is represented in the following diagram:
At Ingram Micro, our highest priority is securing our customers’ data, and we implement rigorous contractual, technical, and organizational measures to protect the confidentiality, integrity, and availability of the information regardless of the region where the customer is located and the origin of the data.
Considering the above, to ensure compliance with its own obligations as a processor, CloudBlue has implemented appropriate measures to cover the risk associated with the processing of personal data as part of the provision of the cloud services to its customers. Further to that, Ingram Micro’s data protection program is a global one, applicable to all its operations world wide and built based on the requirements of the GDPR. All security and data protection standards and practices required to be respected in the European Union are also implemented and respected by Ingram Micro in non-European Union locations.
Ingram Micro offers to its CloudBlue customers a GDPR-compliant and industry standard Data Processing Agreement which provides the necessary commitments and assurance regarding the processing and handling of customer’s personal data by Ingram Micro through the provision of CloudBlue business offerings.
Our partners and customers have trusted CloudBlue for more than 20 years as their cloud technology partner of choice. We take security and privacy seriously and have established an extensive vendor review and onboarding process which includes the Cyber Security Agreement. Our Information Security, Legal, Privacy, and Compliance teams conduct due diligence reviews for each vendor based on numerous factors, some of which include:
- the type of data being hosted or shared.
- the confidentiality and sensitivity of the data.
- the vendor’s privacy and data handling practices.
- the vendor’s incident management and business continuity practices.